Protecting your infrastructure with Google Authenticator as 2FA

It's 2015 and passwords are still the most widely used authentication mechanism for accessing our personal data and technology resources. Honestly, I don't see that changing for a long time to come, so if we're going to keep using passwords we may as well do what we can to supplement them with a little extra security. Done right, even a little bit can go a long way.

Currently, two-factor authentication (2FA) is one of the easiest ways to extend the life of your passwords (but please do not consider it an alternative to good password storage; 2FA should only be a supplement). Fortunately, Google has provided a simple solution in the form of Google Authenticator. Google Auth is Google's open source 2FA project, built on the open OATH standards (HOTP, RFC 4226, and TOTP, RFC 6238; not to be confused with OAuth, which is an authorization protocol). It's pretty lightweight and doesn't take much time to set up. The code should compile on any POSIX-compliant system that uses PAM, so if your distribution doesn't have a binary package available you can just compile it yourself.

Google also provides client apps free of charge for Android, iOS and BlackBerry to generate your user tokens. (And the source for everything is up on GitHub if you feel the desire to poke around or customize anything.)

In the examples here, I will show you how to set up Google Auth to protect SSH on a Debian system. We will assume local access to the machine has been physically restricted and will not require 2FA.

Install the packages

Starting with Debian Jessie, the Google Auth package is available in the standard Debian repos, so all you need to do is install it with apt.

First install the prerequisite (in this case, just the QR-code library):

$ sudo apt-get install libqrencode3

Then you can install the PAM module:

$ sudo apt-get install libpam-google-authenticator

If you are still using Debian Wheezy, you can download and use this .deb package which I've compiled for my machines. Once downloaded, installation is simple:

$ sudo dpkg -i google-authenticator.deb

Edit your configuration files

First, we will modify /etc/pam.d/sshd to call our newly installed Google Auth module. Add the following line at the head of the file, above the `@include common-auth` line Debian ships there, so the verification code is requested before the password:

auth required pam_google_authenticator.so

Once saved, you still need to make sure the following directive is set in /etc/ssh/sshd_config (UsePAM must also be yes, which is Debian's default):

ChallengeResponseAuthentication yes

This lets sshd hand keyboard-interactive logins off to PAM, which in turn calls Google Auth. One caveat: public-key logins never run PAM's auth stack, so a user with a key in authorized_keys will not be asked for a code unless you also set `AuthenticationMethods publickey,keyboard-interactive` (OpenSSH 6.2 and later). Don't forget to restart the service; it is sshd that reads the new config, there is no separate Google Authenticator daemon:

$ sudo service ssh restart
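If you roll this out to more than one box, the two edits above are worth scripting so they are repeatable and idempotent. The following POSIX sh script is an added example, not code from the original post or from the google-authenticator project. The file paths /etc/pam.d/sshd and /etc/ssh/sshd_config and the PAM line are the ones used above; the `UsePAM yes` directive, the `sshd -t` syntax check before restarting, and the commented-out `AuthenticationMethods` line are my additions and reflect an assumed policy. Paths are function parameters so you can try the helpers on scratch copies before touching /etc.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent helpers that apply the
# two edits above (PAM line, sshd_config directive) and restart sshd. Paths are
# parameters so the helpers can be tried on scratch copies before /etc.

PAM_LINE='auth required pam_google_authenticator.so'

# Prepend the Google Authenticator line to a PAM stack, once. Putting it first
# means the OTP is requested before the password from the included common-auth.
enable_pam_otp() {
  pam_file="$1"
  if grep -q 'pam_google_authenticator.so' "$pam_file"; then
    return 0                                   # already enabled, nothing to do
  fi
  tmp="$pam_file.tmp.$$"
  { printf '%s\n' "$PAM_LINE"; cat "$pam_file"; } > "$tmp" && mv "$tmp" "$pam_file"
}

# Set "Key value" in sshd_config. Any active or commented-out copy of the
# directive is removed and the new line goes at the top, so it can never land
# inside a trailing Match block and silently apply to only some users.
set_sshd_option() {
  cfg="$1"; key="$2"; value="$3"
  tmp="$cfg.tmp.$$"
  {
    printf '%s %s\n' "$key" "$value"
    grep -v -i -E "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$cfg" || true
  } > "$tmp" && mv "$tmp" "$cfg"
}

# The real thing: run as root with "apply" as the first argument.
apply_to_system() {
  enable_pam_otp /etc/pam.d/sshd
  set_sshd_option /etc/ssh/sshd_config ChallengeResponseAuthentication yes
  set_sshd_option /etc/ssh/sshd_config UsePAM yes
  # Assumed policy, not from the post: require a key AND a code rather than a
  # password AND a code (OpenSSH 6.2+). Uncomment if that is what you want.
  # set_sshd_option /etc/ssh/sshd_config AuthenticationMethods publickey,keyboard-interactive
  sshd -t && service ssh restart             # validate the config before restarting
}

if [ "${1:-}" = apply ]; then
  apply_to_system
fi
```

Run it as `sudo sh setup-ga.sh apply`. The `sshd -t` check matters more than it looks: a typo in sshd_config combined with a restart locks you out of a remote box, and with `&&` the restart only happens when the config parses.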

Allowing access

Now that Google Auth is set up, sshd will only let users log in with a valid OTP code. Of course, if a user's authenticator config doesn't exist yet, that user can't log in at all (the module fails closed; add the `nullok` option to the PAM line if you want users without a config to skip the prompt during rollout). Using the google-authenticator utility, we can create the config quickly. As the user in question, just run the utility:

$ google-authenticator
It will ask a few questions (time-based or counter-based codes, whether to disallow reuse of a code, how much clock skew to tolerate, and whether to rate-limit attempts) and then print a QR code in the terminal, along with a link that renders the same QR code on a Google web page. Be aware that the link carries your secret in the URL, so on anything you care about prefer scanning the QR code straight from the terminal. Let the user scan the code into their mobile Google Authenticator app. If you want to enter the seed into the app manually instead, it is the first line of the .google_authenticator file you just generated; the utility also prints emergency scratch codes, which should be stored somewhere safe. That file holds the secret, so keep it readable only by its owner.
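To see what the phone app actually does with that seed, here is a TOTP (RFC 6238) calculator in plain POSIX sh. It is an added example, not code from the original post or from Google's project: it builds HMAC-SHA1 out of sha1sum, decodes the base32 seed with awk, and applies the RFC's dynamic truncation, so it runs wherever the commands in this post run. It goes slightly beyond the post by also including a verifier with a skew window, which is the "window" the setup utility asks you about. The seed and timestamps in the demo are the RFC 6238 reference vectors, not a real user's seed.

```shell
#!/bin/sh
# Added example, not from the original post or the google-authenticator project:
# a TOTP (RFC 6238) calculator in plain POSIX sh using only sha1sum, printf and
# awk, showing what the phone app computes from the seed in ~/.google_authenticator.

# Decode an (unpadded) base32 string to lowercase hex. Pure arithmetic so it
# works in any POSIX awk (no bitwise operators needed).
b32hex() {
  printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '=' | awk '
    BEGIN { A = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567" }
    {
      acc = 0; bits = 0
      for (i = 1; i <= length($0); i++) {
        v = index(A, substr($0, i, 1)) - 1
        if (v < 0) { print "bad base32 digit" > "/dev/stderr"; exit 1 }
        acc = acc * 32 + v; bits += 5
        if (bits >= 8) {            # emit a byte as soon as 8 bits are buffered
          bits -= 8
          byte = int(acc / 2 ^ bits)
          acc -= byte * 2 ^ bits
          printf "%02x", byte
        }
      }
    }'
}

# Write the bytes of a lowercase hex string to stdout via printf %b octal escapes.
hex2bin() {
  printf '%b' "$(printf '%s' "$1" | awk '
    BEGIN { H = "0123456789abcdef" }
    { for (i = 1; i < length($0); i += 2)
        printf "\\0%03o", (index(H, substr($0, i, 1)) - 1) * 16 + index(H, substr($0, i + 1, 1)) - 1 }')"
}

# HMAC-SHA1 over a hex key and hex message, built from sha1sum per RFC 2104.
hmac_sha1() {
  key="$1"; msg="$2"
  if [ ${#key} -gt 128 ]; then                 # keys over one 64-byte block are hashed first
    key=$(hex2bin "$key" | sha1sum | cut -c1-40)
  fi
  while [ ${#key} -lt 128 ]; do key="${key}00"; done   # zero-pad to 64 bytes
  ipad=""; opad=""; k="$key"
  while [ -n "$k" ]; do
    first=${k%"${k#??}"}                       # next key byte as two hex digits
    b=$(( 0x$first ))
    ipad="$ipad$(printf '%02x' $(( b ^ 0x36 )))"
    opad="$opad$(printf '%02x' $(( b ^ 0x5c )))"
    k=${k#??}
  done
  inner=$(hex2bin "$ipad$msg" | sha1sum | cut -c1-40)
  hex2bin "$opad$inner" | sha1sum | cut -c1-40
}

# TOTP for a base32 seed at Unix time $2 (default: now), $3 digits (default 6), 30 s steps.
totp() {
  secret="$1"; now="${2:-$(date +%s)}"; digits="${3:-6}"
  counter=$(printf '%016x' $(( now / 30 )))          # 8-byte big-endian step counter
  mac=$(hmac_sha1 "$(b32hex "$secret")" "$counter")
  offset=$(( 0x$(printf '%s' "$mac" | cut -c40) ))   # dynamic truncation: low nibble of last byte
  start=$(( offset * 2 + 1 ))
  chunk=$(printf '%s' "$mac" | cut -c$start-$((start + 7)))   # 4 bytes at that offset
  mod=1; i=0
  while [ $i -lt "$digits" ]; do mod=$(( mod * 10 )); i=$(( i + 1 )); done
  printf "%0${digits}d\n" $(( (0x$chunk & 0x7fffffff) % mod ))
}

# Accept a code if it matches the current step or any of $4 steps either side
# (the clock-skew window the google-authenticator setup utility asks about).
verify_totp() {
  v_secret="$1"; v_code="$2"; v_now="$3"; v_window="${4:-1}"
  v_w=$(( -v_window ))
  while [ "$v_w" -le "$v_window" ]; do
    if [ "$(totp "$v_secret" $(( v_now + 30 * v_w )))" = "$v_code" ]; then
      return 0
    fi
    v_w=$(( v_w + 1 ))
  done
  return 1
}

# Demo with the RFC 6238 reference seed ("12345678901234567890" in base32).
if [ "${1:-}" = demo ]; then
  SEED=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
  printf 'code at T=59: %s (RFC 6238 expects 287082)\n' "$(totp "$SEED" 59)"
  printf 'current code: %s\n' "$(totp "$SEED")"
fi
```

Run `sh totp.sh demo` to print the reference code, or call `totp` with the first line of your own .google_authenticator file to see the same number your phone shows. Note that a wider verification window makes each code valid for longer, which is exactly why the setup utility warns about it: it trades brute-force margin for tolerance of a drifting phone clock.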

In just a few minutes' time, you will have a more resilient authentication process for your system. You can just as easily plug this into other parts of your system through PAM (sudo or the console login, for instance), but I will leave that experiment as a little homework for the reader.